Enable Password Authentication for OPENVPN

Enable Password Authentication for OPENVPN

1. Server Configuration

1. Modify the main configuration file of openvpn and add the following content:

[Root @ ttt openvpn] # cat/etc/openvpn/server. conf | more

######### Auth password ########
Script-security 3 ### -- add script processing, such as password verification
Auth-user-pass-verify/etc/openvpn/checkpsw. sh via-env ### specify only authentication scripts
Client-cert-not-required ##### User/Pass authentication is used if the CA certificate is not requested. If both the certificate and password authentication are enabled, comment out the line.
Username-as-common-name ### use the UserName provided by the customer as the Common Name

############################

2. Place checkpsw. sh in the script path in the configuration file.

[Root @ ttt openvpn] # cat checkpsw. sh
#! /Bin/sh
######################################## ###################
# Checkpsw. sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# A plain text file. The passfile shoshould simply contain
# One row per user with the username first followed
# One or more space (s) or tab (s) and then the password.


PASSFILE = "/etc/openvpn/psw-file"
LOG_FILE = "/var/log/openvpn-password.log"
TIME_STAMP = 'date "+ % Y-% m-% d % T "'

######################################## ###################

If [! -R "$ {PASSFILE}"]; then
Echo "$ {TIME_STAMP}: cocould not open password file \" $ {PASSFILE} \ "for reading." >$ {LOG_FILE}
Exit 1
Fi

CORRECT_PASSWORD = 'awk '! /^ ;/&&! /^ #/& $1 = "'$ {username}'" {print $2; exit} '$ {PASSFILE }'

If ["$ {CORRECT_PASSWORD}" = ""]; then
Echo "$ {TIME_STAMP}: User does not exist: username = \" $ {username} \ ", password = \" $ {password }\". ">>$ {LOG_FILE}
Exit 1
Fi

If ["$ {password}" = "$ {CORRECT_PASSWORD}"]; then
Echo "$ {TIME_STAMP}: Successful authentication: username = \" $ {username} \ "." >>$ {LOG_FILE}
Exit 0
Fi

Echo "$ {TIME_STAMP}: Incorrect password: username = \" $ {username} \ ", password = \" $ {password} \ "." >$ {LOG_FILE}
Exit 1

3. Grant the script execution permission

[Root @ ttt openvpn] # chmod + x checkpsw. sh

4. Prepare the user name and password authentication file. Separate the user name and password with spaces and ensure that the openvpn start user can read the file.

[Root @ ttt openvpn] # cat psw-file
Client01 123456
Client02 123456789

For the sake of security, change the psw-file Permission as little as possible

[Root @ ttt openvpn] # chmod 400 psw-file

[Root @ ttt openvpn] # chown nobody. nobody psw-file

5. Restart the service process of openvpn

2. Modify the client configuration file and add the following line

Auth-user-pass

3. Enable windows client for Password Authentication